Alfresco CMS permission hooking

Integration between Alfresco and Findwise i3

In Findwise we have been working on creating a custom AMP (Alfresco Module Package… essentially a nicely packeted extension to Alfresco) for quite a while making a nice integration between Alfresco and Findwise i3.

Alfresco is essentially an open source SharePoint written in Java. It’s a CMS (Content Management System), where the basic functionality is to allow end users to import his/her documents, to make them easy to manage and find later on.

Findwise i3 is built on top of a number of open source products, like Solr, Elastic Search etc. and its purpose is to provide a nice, clean, pluggable pipelined framework for loading in data in one end, making them searchable and applying search aspects to the documents, to allow for searching intelligently on subsets of data. Further it’s also a pluggable framework for presenting a nice web based search frontend, where the defined search aspects can be selected, along with all other criteria’s and nicely formatted and organized search result sets.

So why integrate the two?

There are many users of Alfresco around the world, and there are also many users of Findwise search functionality. As Findwise framework allows for making lots of different data searchable across an organization, it makes sense also to be able to search data stored in Alfresco, as just one of these many sources. That’s the background for the project and why we entered integrating the two.

Plugging into Alfresco’s repository (which stores documents) is fairly easy, because the developers of Alfresco have prepared hooks one can use. Thus it’s possible to get informed about whenever a document is added into Alfresco, when its content is changed, or when it’s deleted. On each of these occasions, we want to let Findwise i3 know about it, so it can live update its databases, and thus always provide relevant, current data for the end-users. As said, this is fairly straightforward and documented in the Alfresco documentation.

However, there is another scenario, for which no nice solution exists in Alfresco. Namely hooking into when permissions are changed on documents stored in Alfresco.

Why do we need information about permission changes?

Because Findwise i3 of course respects the IT security roles and settings defined in a company’s infrastructure. It wouldn’t be cool to have a document protected by ownership or security roles within Alfresco, but at the same time be fully accessible via the Findwise search API. So we need to be informed about all permission changes made to each and every document hosted within Alfresco. All permission requests and settings within Alfresco happens via the PermissionService interface (permissionService implementation).

So one could choose to replace or override that class with one of our own. That would result in having to dig deep into Alfresco’s configuration, with the risk that when a minor update of Alfresco is installed, our overridden class will have to be reconfigured into the Alfresco configuration once again. That’s basically a mess and should be avoided at all costs. We would much rather prefer to have the nicely AMP package, for which exists simple to use tools to reinstall into an Alfresco installation, be able to hook also the permission events.

The preferred way to do that is to create a method interceptor. That’s actually a Spring thing, and as Alfresco is built upon Spring, it makes sense to use one of those. The interceptor does exactly that, intercepts all method calls for a particular class or interface for which it has been registered. The easy part is to make the interceptor, the difficult part (due to its not very well described) is to have it registered from within the AMP itself

The following is skeleton code for a method interceptor:

screen-shot-2016-12-21-at-09-49-07

And this is how to register it in your AMP’s service-context.xml

screen-shot-2016-12-21-at-10-17-21

When you register your AMP with Alfresco using the usual apply_amps script, your new interceptor class will spring into life when a method on the PermissionService interface is called. It’s actually pretty simple, but the hard part is to figure out the registration process, and provide the correct case and naming for the PermissionService. We have spent quite allot of time searching for this on Google, reading the Alfresco documentation and only found fragments that didn’t show the whole picture.

Now we hope our findings were helpful to others.

Written by: Kim Bo Madsen, Consultant Findwise